"I think this attack is extremely severe because it allows full session hijack and is easily automated," Graham wrote in the Github post containing the tool.

"I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam."

He wrote on YCombinator that Facebook's security team said the flaw was previously reported and that Instagram was deploying HTTPS "for all endpoints". Menlo Park reportedly noted that the need to attack via man-in-the-middle on public networks made the attack difficult for most punters, a claim which he rejected.

"I don't agree the barrier to exploit is high. All it takes is one sufficiently skilled person to release a tool so simple even a script kiddie can use it. At that point Pandora's Box has been blown apart."

Facebook acknowledged the flaw adding it was working on deploying HTTPS.

Instagram was deploying HTTPS across its network including Instagram Direct launched late last year.

Latency-sensitive read endpoints such as the Instagram main feed would be slapped with HTTPS as performance issues were addressed.

Speediness was one of the bug bears with HTTPS deployments. In 2012, hipster bazaar Etsy detailed the problems it encountered as it deployed HTTPS, HTTP Strict Transport Security and two factor authentication, including a "thrilling explosion" of errors. ®